This Episode we are joined by Michael Walford-Williams, a consultant specialising in operational resilience and third-party risk management. His consultancy Westbourne Consultancy Limited sees him working for various clients providing risk management services for the financial service industry.

In this episode, we look at how risk appetite evolves over time, the power of red teaming, how to empower everyone to care about risk and ask the question: ‘Is your risk management toast?’

Key Takeaways:

Risk Appetite is a Moving Target: Just because a threat hasn't hit you yet, doesn't mean it won't. Learn how to adapt your risk management strategy to evolving threats.

Testing Makes Perfect (or at Least More Prepared): Don't wait for a real attack to expose your weaknesses. Simulated attacks like phishing campaigns and red teaming can expose vulnerabilities before they're exploited.

From Paper to Reality: Testing cybersecurity resilience shouldn't just be best endeavours on a piece of paper (business continuity documentation).

Better Red than Bread! Red Teaming Unleashed: Testing, from phishing simulations to physical assessments, to full-blown-red-teaming activities all play a pivotal role in empowering employees and increasing organisational vigilance. And remember, it’s not about pointing fingers—it’s about empowerment.

Risk Ownership: Risk isn’t just IT’s problem. It’s everybody’s job. From the boardroom to the frontlines, we’re all in this together. We will show you how to redefine risk ownership.

This Episode we are joined by John Sills, managing partner at customer-led growth company, The Foundation and author of the book ‘The Human Experience’ 

John joined us last week and shared with us fantastic tales of his time working for a major bank and how the IT team decided to rollout a new cybersecurity control without talking to the customers insights team - spoiler alert, didn’t end well - do go back and listen if you haven’t already! 

This week we continue the conversation from last week as John guides us on how to design for positive intent to build trust, how to lean into inconvenient truths around the data you source from feedback, and why you should treat people how you’d like to be treated, but instead, treat every customer like they are your gran.  

This Episode we are joined by John Sills, managing partner at customer-led growth company, The Foundation and author of the book ‘The Human Experience’ 

In cybersecurity we have many customers, our external customers who engage with the products of services our organisations provide and our internal customers, our colleagues. But how many of us can truly claim to know how to be customer-led? Well in this episode, John shares his decades of knowledge to help us really understand what people care about - especially when it comes to cybersecurity.

We do a deep dive into the human cost of bad customer service, what customers really think about cybersecurity threats, how cumbersome security controls at a bank led to a chart-topping and innovative app, and if you’re a cybersecurity consultant you won’t want to skip this one because we talk about the good, the bad, and the ugly of consultancy. 

For the longest time podcast host, Lianne Potter has been saying: “Cybersecurity has a PR problem!” So what better way of tackling this problem than to get on the show an actual PR and marketing expert?

This week we are joined by Sarah Evans, the head of digital PR at Energy PR. Sarah has over 12 years of experience in SEO, digital PR, digital marketing, content and social media.

In this episode ‘Can Cybersecurity Overcome its PR Problem? Building Your Brand and Social Capital’ - we’re going to learn how to target our cybersecurity message for maximum effect, how to rebuild your team's image, learn what marketing and PR really think about cybersecurity, and learn how to be prepared during a public cybersecurity incident with a 101 on crisis comms.

We will also shed off our desire to the the hero in the story and transition in a more useful role, that of cybersecurity sage as we deep dive into brand personas!

Key Takeaways:

Beyond the Firewall: It's About People: Effective PR in cybersecurity starts with understanding your audience - both internal (employees) and external (customers).

From "Wayward Teenager" to Trusted Partner: Marketing isn't reckless, and cybersecurity isn't just about saying "no." Discover how clear communication and empathy can foster collaboration.

AI for Security Awareness? Yes, But... Discover how AI tools like ChatGPT can help brainstorm content - but always have a human expert review it before hitting "publish"!

Perception Exercise: What three words would people use to describe your cybersecurity team?

Cybersecurity Needs a Hero (But Not That Kind): Cybersecurity teams have incredible stories to tell! Ditch casting your colleagues as the "tech villain" and position yourselves as the trusted guardians that you are!

This week we are joined by James Charlesworth, a seasoned Director of Engineering at Pendo with 15 years of experience in software engineering. James is also the creator of the Train to Code YouTube channel, where he shares a wealth of excellent training videos on software development.

In this episode, Say Goodbye to ‘Git Blame’: Building Collaborative and Secure Software Development Lifecycles, we dive into some great topics aimed at saying goodbye to the blame game and hello to good app and product sec!

James talks us through his process of building up cross-functional empathy between his engineering function and the security team; why the engineering team might not be the best team to speak to if you’ve got a lot of vulnerable code and a step-by-step guide on how he excels in delivering product security in his organisation.

We are joined again by Dr Bettina Palazzo a business ethics expert! She works with compliance managers to create a culture of integrity that focuses on the leadership and behavioural dimensions of compliance.

In this episode, “The Dilemma Game”: Unleashing The Power of Ethics and Good Cybersecurity Through Play”, we delve into the complexities of power dynamics within organisations, exploring the efficacy of policies and the role of ethical standards in both corporate and personal settings.

We question the effectiveness of merely adding regulations in response to ethical crises and stresses the importance of cultural context in shaping responsibilities towards cybersecurity.

Then our discussion extends to the necessity of embracing local nuances while maintaining universal ethical standards, and the limits of systemic solutions in a diverse, evolving landscape.

And finally, this episode also introduces the "dilemma game," an innovative approach to enhance understanding and application of policy texts through real-world scenarios, fostering a culture of integrity and psychological safety where open communication and trust are paramount.

This thought-provoking episode is a must-listen for anyone interested in the intersection of culture, ethics, and organisational behaviour.

Key Takeaways:

• Beyond the Buzzwords: Company culture is more than just statements on a wall. We explore how actions speak louder than mission statements.

• Regulations vs. Reality: Should we pile on more rules, or find a way to make compliance actually work? We discuss the limitations of a one-size-fits-all approach.

• Cybersecurity: A Shared Responsibility: Who's on the hook for protecting your company from cyberattacks? We break down how culture plays a big role in online safety.

• The Dilemma Game: Ditch the boring compliance training! Learn about a fun, interactive way to test your company's policies against real-world situations.

• Building an Integrity Culture: Trust and clear communication are key. Discover how to create a safe space where employees can speak up without fear of reprisal.

Welcome back to season 3!

To kick things off we are joined by Dr Bettina Palazzo a business ethics expert! She works with compliance managers to create a culture of integrity that focuses on the leadership and behavioural dimensions of compliance.

She states that unethical organisations make people unhappy - and we couldn’t agree more. So she has dedicated her life work to helping organisations create cultures that make work fun and meaningful.

Ethics is such an important subject when it comes to business because poor ethical decisions can mean poor compliance, and ultimately, can lead to poor security decisions.

So how do you build a culture that is comfortable with having honest conversations about ethics?

Well that’s what we will explore in this episode, Rules Without Relationships Create Rebellion: Why Ethics Matter in Cybersecurity.

By the end of this episode you will Learn how to create a ‘speak up’ culture so that people can raise cybersecurity concerns with you.

How to build a compliance influencer programme (and no, that does not mean trips abroad at beautiful locations surrounded by policy documentation for the gram)

And how the cybersecurity team can not only be ethical role models but also give people a reason to care for the big question: why we do the things we do to protect them!

Welcome to the grand finale of season two of ‘Compromising Positions’, where we delve into the fascinating world of AI security. In this special episode, your hosts will guide you through the labyrinth of securing AI models, one step at a time.

For those who prefer a quick overview, we offer an abridged version on Apple Podcasts and Spotify.

This version deep dives into two key topics:

Jeff’s unique mnemonic C-PTSD for threat modeling AI systems, and an intriguing discussion on the correlation between boredom, worm-killing, and AI efficiency gains.

For those who crave a deeper dive, scroll down or visit our Youtube channel for the extended cut.

This version includes everything from the regular version, plus:

• Jeff’s academic journey in AI at the University of Hull

• Lianne’s preparation for a 100 days of Code in Python for her MSc in Data Science and AI at Leeds Trinity University

• A critical discussion on OpenAI’s transparency and the latest AI wearable technology, along with the complexities of consent and privacy in an ‘always recorded’ lifestyle

Whether you choose the regular or extended version, we appreciate your support throughout season two. Stay tuned for more enlightening discussions in season three! Thank you for being a fantastic audience.

This week we are joined by Dr David Burkus, one of the world’s leading business thinkers and best-selling author of five books on the topic of business and leadership. Dr Burkus has worked with the leadership teams of some internationally known names such as PepsiCo, Adobe and NASA.

In this episode, “It’s a Wonderful Hack! Building a high-performance cybersecurity team“, we discuss the three elements of the “Team Culture Triad”: common understanding, psychological safety and prosocial purpose, and how these elements are the backbone of every successful team.

We delve into how interpersonal trust is a reciprocal process, that trust needs to be met with respect and an open mind, and how we can build a culture that learns from mistakes and people feel safe to challenge at all levels in the business.

We also discuss how being part of a team is more like chess than checkers. We can’t treat all people like they have the same skills or ways of working, we’re a team yes, but it’s a team of individuals.

And the “It’s a Wonderful Life” test. A brilliant thought experiment to show the impact of your team’s contributions, which may not always be tied to revenue.

Key Takeaways:

• Try a Little Tenderness: Empathy is important, but it's not just about feeling someone else's pain. To truly collaborate effectively, you need to understand your teammates on a deeper level, including their unique strengths, weaknesses, and working styles. By achieving this common understanding, you can anticipate their responses and adjust your approach to optimize teamwork.

• Hey Boss, your Idea Sucks: When was the last time someone in your team challenged your decision? If it was a while ago, you might want to take a look if you’re building a team that fosters psychological safety.

• Developing Pro-Social Purpose: A team that prioritizes collective success over individual gain fosters a collaborative environment.  When team members are driven by a common purpose, they're more likely to support each other and work towards shared goals. This sense of purpose strengthens the team and empowers individuals to contribute their best work.

• It’s a Wonderful Life: Imagine if your cybersecurity team didn't exist.  What would the consequences be?  While this exercise helps you identify potential negative impacts, it's equally important to consider the positive contributions your team makes.

This week we are joined by Dr David Burkus, one of the world’s leading business thinkers and best-selling author of five books on the topic of business and leadership. Dr Burkus has worked with the leadership teams of some internationally known names such as PepsiCo, Adobe and NASA.

In this episode, “Storytelling Superconnectors: Unleashing Purpose Beyond Metrics in Your Cybersecurity Function”, Dr Burkus challenges the concept of Dunbar’s Number as we discuss the power of human networks, and how finding the superconnectors in your organisation will help you get your cybersecurity agenda in front of the right people.

Indulging in a bit of schadenfreude, Dr Burkus shows us how we can use the hacks and breaches of our competitors to demonstrate our value and purpose offering to the c-suite and he also shares his unique insights on breaking down siloes, and harnessing the power of positive engagement in the workplace.

And as if that wasn’t enough (!) how to move away from just metrics to make your security function shine! If you want to change the way your organisation sees your security team, this is the episode for you! 

This is a two part episode (this is part one!) so don’t forget to check back in next week to hear the whole interview!

Key Takeaways:

• Find your Superconnectors: Superconnectors are individuals who have lots of powerful connections and can help you expand your network quickly. By networking with superconnectors, you can find new opportunities and build purpose-driven teams in the cybersecurity function.

• Embrace the Power of Storytelling: Facts and figures are important, but stories resonate on a deeper level. Security teams can leverage storytelling to educate employees about cybersecurity threats, celebrate successes, and foster a sense of shared purpose.

• Break Down Silos: Challenge the stereotype of security as the "office police."  Focus on collaboration and highlight the positive contributions your team makes in protecting the organization. Aim for a 3:1 ratio of positive interactions to negative ones to build trust and rapport.

• Learn from Your Competitors' Misfortunes: While celebrating wins is important, so is learning from failures. Use competitor breaches as a springboard for threat intelligence exercises, demonstrating the value your team brings in proactively preventing such attacks.

This week we are joined by Jenn Calland, a seasoned Data Analyst, Analytics Engineer, former Platform Engineer and Full Stack Developer with expertise spanning Google Cloud, Looker, BigQuery, and many other technologies.

In this episode, Data, Data Everywhere, But How Do We Make It Safe to Share? We are going explore the relationship between data, cybersecurity and our personal and organisational desire for convenience which can sometimes lead to insecure and risky behaviour. 

Jenn warns data analysts about working under the assumption that by the time they get their hands on the data, that it’s all ‘safe and secure.’ She cautions the data team that they shouldn’t think they don’t need to be ‘secure’ because it has been taken care of either by the cloud providers, compliance or the security team themselves - but in fact, we all need to be accountable in our data/security journey. 

We also discussed the challenges around anonymising data and the handling of medical data, how AI is changing things and what security teams can do to make sure we collaborate with the data team in a way that works for all parties involved. 

This week we are joined by Bec McKeown, a chartered psychologist with extensive experience in carrying out applied research for organisations including the UK Ministry of Defence and the founder and director of Mind Science, an independent organisation that works with cybersecurity professionals

Last episode we ended by talking with Bec about how cybercriminals leverage the fight-or-flight response and get you to do things you wouldn’t normally do, like share bank details, through amygdala hijacking. Bec concluded the episode by giving us some great advice on how we can retrain ourselves NOT to be so reactive and hopefully, stop ourselves from doing something rash.

In this episode, Awareness ≠ Behavioural Change - Rethinking Cybersecurity Training, we’re going to build upon what Bec discussed last week, a cyber psychology 101 if you will, and see how we practically apply key psychological concepts like cognitive agility, convergent and divergent thinking and meta-cognitive skills to things like tabletop exercises and security awareness training.

This week we are joined by Bec McKeown, a chartered psychologist with extensive experience in carrying out applied research for organisations including the UK Ministry of Defence and the founder and director of Mind Science, an independent organisation that works with cybersecurity professionals

In this episode, Hands Off My Amygdala! The Psychology Behind Cybersecurity, we are going to hear about Bec’s varied and interesting career in advising people in highly stressful situations to be reflective and not reactive, and how they cannot only learn from their actions but become masters of them. 

This episode is a smorgasbord of psychological concepts that will make you think twice about how you normally run your security awareness programme and but also your tabletop exercise too. And crucially, learn why people act the way they do during an actual cybersecurity incident.

This week we are joined by Sabrina Segal, an integrity, risk, and compliance advisor, with almost 20 years of experience in the public, private, and third-sectors. 

In this week’s episode, Bringing the Curtain Down on Risk Theatre and Applauding objective-centred Risk Management, Sabrina shares with us, a quite frankly amazing model to work from: The OCRM, Objective-centred Risk Management. 

This model a great antidote to what Sabrina describes as ‘risk theatre’ which is the performance of risk governance activities, without real substance or accountability but with the dangerous consequence of making an organisation still feel like they have ‘done something’ when really it’s not worth the paper, or Excel doc, it is written on. This approach is scalable, practical, and effective, and it can help you achieve your goals while managing your risks and opportunities.

Key Takeaways:

Shift the Focus: Ditch the risk register and start with your objectives. What are you trying to achieve? What could stop you? This simple change aligns risk with your mission and drives informed decision-making.

Price Your Risks: Don't just identify risks, quantify them. Calculate the resource and software costs associated with each. This transparency reveals your true risk appetite and exposes gaps between rhetoric and reality.

Go-No-Go Decisions: OCRM empowers you to make clear, objective decisions based on risk pricing. Is the potential upside worth the cost? This eliminates wasted time and resources on low-impact risks.

Psychological safety: How to create an environment where employees feel empowered to speak up and challenge the status quo, even about risks.

The "halo effect": How the good work of charities and non-profits can sometimes mask poor risk management practices.

Utilising External Board Members: How to ensure they have the full picture and can effectively advise on cyber risks.

This week we are joined by Sabrina Segal, an integrity, risk, and compliance advisor, with almost 20 years of experience in the public, private, and third-sectors.

In this episode, Not New, but Novel - Tackling Risk in the Third Sector, We take a look at the challenges facing the third sector when it comes to cybersecurity and technology risks. The third sector, which includes charities and non-profits, is often overlooked or underestimated when it comes to cybersecurity and risk management. But this sector faces unique challenges and opportunities that require a novel and holistic approach to risk.

Sabrina has a really refreshing take on risk and we will hear how she enables her clients to get to grips with what she calls ‘tolerable risk’ and why we can’t avoid risks, but we can reframe risks to not only identify threats but also opportunities. While at the same time, making sure everyone cares about risk, not just people with ‘risk manager’ in their title!

Key Takeaways:

Forget Risk Appetite and Risk Matrices - Embrace ‘risk awareness’ tailored to your mission and your organisation’s objectives

Identify Your ‘Tolerable Risk’ - Risk can’t be avoided but we can identify and work within our ‘risk tolerance’ for better informed decisions

Risk is a Two-Sided Coin - It’s not just about threats but opportunities too, and it’s much easier for people to get excited about opportunities than threats!

Don’t Greenwash Those “Charity Days” - Forget painting the fence, litter picking or sorting cans, instead donate your cybersecurity expertise for maximum impact

Risk Is Everyone’s Job - Ditch the ‘risk manager’ title and empower everyone to be a risk champion!

This Episode we are joined by Amy Kouppas, a Scrum Master, D&I lead, and founder of a Women’s Health & Wellbeing group at Sky. 

We are talking about all things agile and scrum! Most organisations have some form of agile methodologies, and the likelihood is, yours does too but what is it? What is Kanban? What is Scrum? What does a Scrum master do and why are they always sprinting? Amy helps us answer these questions and more in this episode: Fun with Purpose - A Scrum Guide! 

In this Episode we cover:

Scrum Master: Coach, Not Boss: Ditch the project manager stereotype. A scrum master is a facilitator, coach, and mentor, guiding the team towards self-organisation and autonomy. Their ultimate goal? To make themselves obsolete by fostering a team that thrives independently.

Empowerment & Creativity: Scrum unleashes the full potential of your team. They become accountable, empowered, and free to be creative within the sprint framework. This fosters a culture of continuous improvement where everyone contributes to success.

Documentation - Enough is Enough: The agile manifesto doesn't advocate for zero documentation. It emphasises "just enough" documentation. Focus on clear, concise information that supports transparency and efficient collaboration.

Retrospectives with a Twist: Retrospectives are the beating heart of scrum. Make them engaging and fun with themes, games, and even time capsules. This playful approach fosters honest reflection and continuous improvement.

This Episode we are joined by Damjan Obal, Head of design at Ardoq, lecturer and international speaker on all things design and data.

In this episode, And the Bafta for Best Cybersecurity Awareness Training Goes To…, we are looking at how we practically apply design principles to our security awareness programmes, with things like design thinking, the double diamond design method, opportunity solution trees and much much more!

We also look at the dangers of gamification and how to get your bafta-winning moment when delivering your security message to the business!

In this Episode we cover:

Convenience vs. Security: The Eternal Battle: You’re late for a meeting, and that pesky password reset pops up. What do you do? Convenience often wins, and that’s where security takes a hit. We’ll explore shortcuts, trade-offs, and the delicate balance between ease and safety.

Data Storytelling: Making Ones and Zeros Relatable: Security teams deal with mountains of data. But how do they turn it into compelling narratives? Whether it’s the sheer quantity of incidents or the relentless attacks, we’ll reveal how to tell data-driven stories that resonate.

Infographics: A Picture Is Worth a Thousand Alerts: Enter the superhero of visual communication: infographics! We’ll explore how these bite-sized graphics simplify complex security concepts. From breach timelines to threat landscapes, infographics make data digestible for everyone.

Tangibility in the Intangible: Making Cybersecurity Real: Cybersecurity can feel abstract, like chasing shadows. Think metaphors, analogies, and relatable scenarios. Because securing data isn’t just about 1s and 0s—it’s about protecting our digital existence.

The Gamification Dilemma: Fun vs. Functionality: Gamification is all the rage, but is it always the answer? Not necessarily. Remember, not every challenge needs a leader board.

This Episode we are joined by Damjan Obal, Head of design at Ardoq, lecturer and international speaker on all things design and data.

In this episode, F.U.D OFF! - Cybersecurity Awareness Beyond Compliance and Boredom, we learn from Damjan about the importance of storytelling, the difference between game theory and gamification, what accessibility champions get so right that we in security get it so wrong, and how to design a security awareness programme that resonates with people and encourages empathy and behavioural change.

F.U.D - Fear, uncertainty and Doubt have been a mainstay in cybersecurity messaging but is it serving us or is it just turning people off our messaging? Find in this episode if there is another way and if we should just tell F.U.D to F.U.D off for good!

—————————————————————————————————

In this Episode we cover:

How to use storytelling effectively: Why do we only talk about the stuff nobody cares about when we have such great stories to tell!

Finding your ‘WHY’: The first steps towards making your security engagements salient, relevant and focused on the bigger picture

Game Theory vs. Gamification: How do you use either effectively to make security awareness training more interesting and relevant

F.U.D Off: Why fear-mongering doesn’t work and how the odd joke might engage your audience better

Lessons from the world of accessibility: Learning how the principles of good accessibility might lead to better security controls and buy-in

This Episode we are joined by James Hall, developer and Founder of Parallex, a digital consultancy that focuses on ‘building better digital experiences together’.

In this episode, That’s illuminating! Protecting Aberdeen’s IOT Street Lights from Cyber attacks! James shares his experience on securing public utilities, other IOT devices, how he ‘sells’ security as a value add to his stakeholders, and if Bug Bounties are actually worth doing!

—————————————————————————————————

In this Episode we cover:

Agile means no documentation right? Wrong! While documentation is certainly lighter in agile teams, it doesn’t mean it is completely absent. But this lightweight style does bring its challenges and teams need to avoid keeping it all ‘in their head’ if they want security teams to understand what they are building and the security challenges that may come with that. James tells us about the danger of assuming prior knowledge and gives advice on how to test your documentation by giving it to the most junior member of the team and seeing if they can follow it. But while documentation is important we need to remember that…

Shared documentation is not the same as shared knowledge. It is not enough to ensure that everyone on the team is aware of the security requirements. It is important to have open communication channels and encourage team members to ask questions and share their knowledge.

Paired programming would help fill in the blind spots of any security issues there might be. It is important to acknowledge that there are things that we don’t know as developers and paired programming with a member of the security team can help fill in these gaps. By working together, team members can share their knowledge and learn from each other.

Securing IOT devices is challenging because hardware manufacturers don’t have an incentive to make their products secure. This is a major challenge in securing IoT devices, and it is important to be aware of this when designing solutions that rely on IOT devices.

Bringing risk to life is important otherwise people will ignore it. It is important to communicate the risks associated with cyber-attacks in a way that is easy to understand.

Today we are joined by Paula Cizek, Chief Research Officer at Nobl, where she guides leaders and teams through the change management process, from assessing the organization’s readiness for change to implementing initiatives. In this episode, we explore the fascinating topic of Corporate Change and how its lessons can be applied to cybersecurity.

In the vast ocean of the corporate world, change is as constant as the tides. It can be exhilarating for some and daunting for others. As leaders, we often stand at the helm, eager to navigate new courses. Yet, we must remember, that not all aboard share the same vision or enthusiasm for these uncharted waters.

Why is it scary for many? How do leaders balance the excitement of innovation with the practicalities and emotions of their teams? We’ll explore the dichotomy of change - the loss and the gain, the risk and the reward.

We'll unpack the layers of change management, from the first ripples of a new idea within the executive team to the waves it creates throughout an organization. How do we bring everyone on deck, giving them the time to adjust their sails and embrace the journey?

We'll also navigate the treacherous waters of resistance. Not every objection is an excuse, and sometimes, they signal hidden icebergs. How do we, as leaders, distinguish between the two?

So, tighten your lifejackets and get ready to dive into the deep end of transformation. In this episode “Shift Happens: The Art of Navigating the Seas of Cyber Change”.

—————————————————————————————————

In this Episode we cover:

Why there’s such a gap between the exec team and boots on the ground when it comes to accepting and being excited by change

The difference between “Fail Safe” and “Safe to Fail” changes and projects

Why we should Start with the Skateboard

That not every objection to change is an excuse

How to communicate change effectively

Being comfortable with being uncomfortable when it comes to negotiation

Why Risk and Uncertainty are different beasts